veilor-os/README.md

# veilor-os

> Hardened minimal Fedora KDE remix. Black-on-black. Locked down by default.

veilor-os is a Fedora 43 KDE spin built for operators who want a clean, fast,
opinionated desktop with serious hardening already in place. No prompts at
install beyond the LUKS passphrase. Boot, set admin password, work.

## Highlights

- **Single-prompt install** — only LUKS passphrase. No account wizard, no
  initial-setup screen. `admin` account is created automatically; password
  is set on first boot.
- **Hardened by default** — SELinux enforcing, USBGuard, fail2ban, firewalld
  drop zone, kernel sysctl lockdown, NTS-authenticated NTP, DNS-over-TLS.
- **3-mode power management** — `veilor-power save | mid | perf`, with
  AC/battery auto-switching via udev. Backed by tuned profiles.
- **Fira Code system font** — programming ligatures, monospace
  consistency across UI + terminal. (DuckSans planned for v0.3.)
- **Pure-black KDE color scheme** — `veilor-black` theme system-wide.
- **LUKS2 + Secure Boot** — argon2id, aes-xts, btrfs subvolumes, zram swap
  (no disk swap, no cold-boot leak).
- **Reproducible build** — kickstart + podman + livemedia-creator. ISO
  output is deterministic given pinned base.

## Repo layout

```
kickstart/   veilor-os.ks                full kickstart definition
build/       Containerfile + build-iso.sh   reproducible ISO builder
overlay/     files dropped into installed root via %post
scripts/     hardening, SELinux policy, theme apply, firstboot
assets/      fonts, KDE color scheme, branding, plymouth theme
docs/        HARDENING / POWER / BUILD / INSTALL
test/        boot-checklist + findings log
```

See `docs/BUILD.md` for build instructions, `docs/INSTALL.md` for install,
`docs/HARDENING.md` for what's locked down and why.

## Status

Pre-release. v0.x. Repo private until first green ISO boots clean on test
hardware.

## License

MIT — see [LICENSE](LICENSE). Fira Code ships from Fedora's
`fira-code-fonts` package under SIL OFL 1.1.
veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00			`# veilor-os`

			`> Hardened minimal Fedora KDE remix. Black-on-black. Locked down by default.`

			`veilor-os is a Fedora 43 KDE spin built for operators who want a clean, fast,`
			`opinionated desktop with serious hardening already in place. No prompts at`
			`install beyond the LUKS passphrase. Boot, set admin password, work.`

			`## Highlights`

			`- Single-prompt install — only LUKS passphrase. No account wizard, no`
			initial-setup screen. `admin` account is created automatically; password
			`is set on first boot.`
			`- Hardened by default — SELinux enforcing, USBGuard, fail2ban, firewalld`
			`drop zone, kernel sysctl lockdown, NTS-authenticated NTP, DNS-over-TLS.`
			- 3-mode power management — `veilor-power save \| mid \| perf`, with
			`AC/battery auto-switching via udev. Backed by tuned profiles.`
fonts: swap DuckSans → Fira Code (Fedora fira-code-fonts, SIL OFL 1.1) 2026-04-30 03:57:17 +01:00			`- Fira Code system font — programming ligatures, monospace`
			`consistency across UI + terminal. (DuckSans planned for v0.3.)`
veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00			- Pure-black KDE color scheme — `veilor-black` theme system-wide.
			`- LUKS2 + Secure Boot — argon2id, aes-xts, btrfs subvolumes, zram swap`
			`(no disk swap, no cold-boot leak).`
			`- Reproducible build — kickstart + podman + livemedia-creator. ISO`
			`output is deterministic given pinned base.`

			`## Repo layout`

			```
			`kickstart/ veilor-os.ks full kickstart definition`
			`build/ Containerfile + build-iso.sh reproducible ISO builder`
			`overlay/ files dropped into installed root via %post`
			`scripts/ hardening, SELinux policy, theme apply, firstboot`
			`assets/ fonts, KDE color scheme, branding, plymouth theme`
			`docs/ HARDENING / POWER / BUILD / INSTALL`
			`test/ boot-checklist + findings log`
			```

			See `docs/BUILD.md` for build instructions, `docs/INSTALL.md` for install,
			`docs/HARDENING.md` for what's locked down and why.

			`## Status`

			`Pre-release. v0.x. Repo private until first green ISO boots clean on test`
			`hardware.`

			`## License`

fonts: swap DuckSans → Fira Code (Fedora fira-code-fonts, SIL OFL 1.1) 2026-04-30 03:57:17 +01:00			`MIT — see [LICENSE](LICENSE). Fira Code ships from Fedora's`
			`fira-code-fonts` package under SIL OFL 1.1.